Privacy plan

The RTA is committed to protecting our clients' privacy.

The Information Privacy Act 2009 (Queensland) (the Privacy Act) gives all members of the public the legal right to access and amend their personal information. It requires the RTA to safeguard personal information it holds and disclosures can occur only when the individual it relates to provides consent or where it is required and authorised under law.

The Privacy Act is based on privacy principles which establish the rules agencies, such as the RTA, may collect, use, store and disclose personal information and how members of the public may seek access and/or amend their personal information.

2. Legislative environment of the RTA

The RTA operates within the confines of other legislation governing public sector organisations such as:

Right to Information Act 2009

Information Privacy Act 2009

Financial Accountability Act 2009

Auditor General Act 2009

Public Records Act 2002

The RTA is also subject to other legislation which may legally require the RTA to provide information to external organisations on request, such as the Queensland and Federal Police Services and Office of State Revenue.

3. Types of personal information held by the RTA

The RTA collects, stores and uses personal information in the following ways.

3.1 Personal information about employees and prospective employees

This is required so that human resource management functions can be carried out for prospective and current staff. These functions include leave details, performance management, training, staff selection and information required for reporting against public sector requirements such as target groups.

Collection is authorised under the RTRA Act and the Privacy Act, relevant legislation (such as taxation and financial administration requirements) and internal policies and procedures. Specific provisions relate to conciliation conducted through the dispute resolution service, which protects the confidentiality of the conciliation process and prevents any information from being released about the process.

3.3 Personal information about vendors

This information allows normal business processes to take place. Examples of information collected include: names, addresses for payment, bank account details to allow for electronic payment of accounts and Quality Management processes to monitor Rental Bond Direct Credit and Email Notification Statement of Agreement and ensure business processes are aligned.

Collection is authorised under the RTRA Act and the Privacy Act, relevant legislation (such as taxation and financial administration requirements) and internal policies and procedures.

3.4 Other personal information

This is collected in the process of fulfilling other RTA activities, such as statistical research, community education activities, policy work and corporate communications. Examples of information collected include: names and addresses of clients to receive information from the RTA, generic information to provide statistics and analysis of the industry, opinions (such as client feedback) and photographs for use in publications and displays. No personal details are released to external organisations for unsolicited mailing lists.

4. Existing contracts, licenses and outsourcing arrangements

The RTA has in place agency agreements, outsourcing arrangements and contracted suppliers to deliver services on behalf of the RTA more cost-effectively. These include outsourcing to a mail house to generate and post receipts for rental bonds, Notices of claim and receive general RTA mail, and an agency contracted to distribute RTA forms.

Any third party organisations which have been, or will be, contracted to perform services on behalf of the RTA will be required to be bound by the same privacy principles to which the RTA adheres.

5. List of public registers managed within the RTA

The RTA does not maintain any public registers.

6. Information Privacy Principles (IPPs) and RTA implementation

RTA staff are made aware of their responsibilities to uphold privacy requirements and to comply with the requirements of the Privacy Act and related guidelines through training sessions and changes to documented procedures and policies.

6.1 Collection (IPPs 1 to 3)

RTA service areas continually review all forms and monitor processes for requests to collect information from clients or employees to ensure that notification requirements (as per IPP 2) are met, and authorisation for further disclosures is covered where necessary to the operation of the RTA service. The RTA's website is similarly noted.

Staff in service areas which collect personal information by telephone (such as the Client Contact Centre and Dispute Resolution Services) will notify clients of matters and obtain consent to further disclosure, where necessary. As well, letters confirming notification and consent can be forwarded to clients following telephone contact, if required. Where telephone conversations are monitored by recording for quality control, training or supervision purposes, clients are advised of this at the outset of the conversation, such as through the messages-on-hold service.

6.2 Storage (IPP 4)

The RTA has policies regarding information storage and will further develop and review separate policies for storage of electronic and paper information to safeguard information in line with the RTA's and whole-of-government policies.

6.3 Access and Amendment (IPPs 5-7)

The RTA has in place processes allowing clients to access their personal information and request amendments to be made. This is detailed in sections 7 to 12 of this plan.

6.4 Use (IPPs 8 to 10)

Where information is to be used for research purposes, this will take into account guidelines including those prepared by the Officer of the Federal Privacy Commissioner, Office of the Information Commissioner Queensland or with a relevant Privacy Code of Practice if such code exists. Where information is stored in a computerised database, service areas ensure that appropriate descriptions are used to avoid errors or misinterpretation of data and standards are adopted which allow consistent transfer of information between areas within the RTA.

Standards have been adopted, in relation to the functions and purposes of the particular service area, to ensure personal information is used only for the authorised purposes for which it was collected. Authorised purposes include the delivery of rental bond services, dispute resolution, investigations, policy and research, community education and information services. It may be used internally to improve service delivery and to directly target clients, for example information and education campaigns, to research emerging issues in the rental sector and to establish client satisfaction levels with RTA services.

Where information is to be used for research purposes, this will take into account guidelines including those prepared by the Office of the Federal Privacy Commissioner or with a relevant Privacy Code of Practice when such Codes come into existence. For example, in specific research projects authorised by the RTA, clients will be contacted by the RTA and asked whether or not they want to participate in identified research projects, and will be given the opportunity to opt out of the research group if desired.

6.5 Disclosure (IPP 11)

Service areas have written procedures to cover the main kinds of personal information staff can be expected to disclose and identified the authority for such disclosures. Staff with frequent contact with RTA clients are given additional training in the application of the IPPs to disclosure in the context of their service area's functions.

Information disclosed by the RTA or any of its service areas for research purposes generally will not contain personally identifying information. In instances where clients are to be contacted by a contracted external research company, for example, the RTA will send out a letter providing clients with the opportunity to "opt out" of the selection pool.

The RTA also abides by Queensland Government protocols for the disclosure of personal information in Ministerial correspondence.

7. Access to personal information about self

Clients have the right to access and amend their own personal information in accordance with IPP 6 & 7 of the Privacy Act.

Requesting access to personal information can be made either under the RTA’s Administrative Access Scheme or formally under the Privacy Act.

The RTA’s Administrative Access Scheme is an easier and quicker process than the formal Information Privacy application process. In most cases, the scheme is used for applicants who require access to their own personal information. Further information regarding this scheme can be found on the RTA's Administrative Access Scheme page of this website

To make an application to access personal information held by the RTA under the Privacy Act, clients are to provide a written notice:

containing your address and ideally your contact details so that we can discuss your request

containing details of what information you require

using the application form available from our office or download from the website

There is no charge to lodge a request for your own personal information. Information will not be provided to any applicant until acceptable proof of identity is provided.

8. Access to personal information about others

The RTA controls access, use and disclosure of personal information through a variety of mechanisms including physical, electronic and system security controls and by providing its staff with training.

The RTA is committed to protecting the personal information that it holds and will not release an individual's personal information to any other person or agency unless authorised under IPP 11.

Such circumstances where personal information may be disclosed under IPP 11 include:

where consent has been provided by the person that the personal information relates. Commonly this will either be through an IPP2 Privacy Collection Notice or through a later consent notice or instruction

if it is authorised under a law, such as the Income Tax Assessment Act 1936 & 1997, Social Security Act 1991 etc

where it is necessary for law enforcement purposes, such as by the Queensland or Federal Police, ASIO etc

if the RTA believes that it is required to prevent a serious threat to an individual’s life, safety or welfare or public health, safety of welfare

where there is a very strong public interest in using the information for research, analysis or compilation of statistics.

Where a third party is acting on behalf of the RTA, the third party organisation will be required to comply with the same privacy rules.

Where one party to a bond or dispute, requests personal information relating to another party (to a bond or dispute), the RTA will only disclose non-personal information unless consent has been provided, that is, the RTA will mask, delete or blank out personal information. The RTA does not provide any information to other agencies for direct or commercial marketing purposes unless consent has been provided.

9. Amendment of personal information held

Applicants may request amendment to their personal information if they believe the information is inaccurate, and, given the purpose of the information, irrelevant, incomplete, out-of-date or misleading.

If it is decided to amend the information the amendment may be carried out by making a correction, deletion or addition to the information.

Before making a formal application for an amendment of personal information, contact the RTA as the RTA may be prepared to correct the information without the need of a formal application.

A formal application for amendment must:

be in writing

contain your address and ideally your contact details so that we can discuss your request if necessary

contain details of the information you believe to be inaccurate, irrelevant, incomplete, out-of-date or misleading

specify the amendments required

use the application form available at our office or download from the website

1. Definition of personal information

For the purpose of identifying information to be managed in accordance with the requirements of the Information Privacy Act 2009 "personal information" is defined as:

"information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."

10. Internal review

Any individual that is dissatisfied with a privacy access or amendment decision may request an internal review except where the decision has been made by the Chief Executive Officer of the RTA. An internal review may only be made:

by an individual

about a decision made by the RTA or a third party acting on behalf of the RTA

about the personal information of the individual making the complaint

where the complainant believes that the RTA decision does not comply with the IPPs or the Privacy Act; and

11. Internal review - agency processing

The RTA is required to make a decision in regard to an internal review request within 20 business days from the date the application is made and inform the complainant in writing of the decision including any further appeal (external review) rights.

The internal review will be undertaken by a person more senior than the original decision maker and will consider the original access or amendment application as if it where a fresh application.

12. External review

Should an applicant remain aggrieved by a privacy access or amendment decision after internal review they may seek external review through the Office of the Information Commissioner (OIC). Refer to the OIC website for further information.

13. Privacy complaints

If you believe that the RTA has breached the IPPs of the Privacy Act on or after 1 December 2009, you can make a complaint via RTA’s complaints management process. If the complaint is not resolved to your satisfaction, and more than 45 business days has passed since the complaint was made, you can take your complaint to the Office of the Information Commissioner. The Office of the Information Commissioner will handle the complaint in accordance with its Privacy Complaint Handling Policy.

The RTA collects personal information from clients to perform key functions in accordance with the Act such as: information and education services, dispute resolution services, rental bond, management services (including eServices), statistical and research services, policy development and advice services and an investigations service.

Without personal information the RTA cannot provide secure and relevant client services, particularly for bond custodial services and dispute resolution. Protecting the privacy of clients has always been a key part of normal RTA operations when performing services and has been further formalised through the development of the RTA Privacy plan.

This Privacy plan outlines what type of personal information the RTA collects, how it is handled and how clients can access and amend personal information held by the RTA. It has been developed in accordance with Queensland Government requirements.